Aliases: Email-Worm.Win32.Myba, I-Worm.Myba, Win32.HLLW.Myba, W32/Myba-A 
Variants: W32/[email protected], Win32/[email protected], WORM_MYBA.A, Worm/Myba.A

Classification: Malware
Category: Computer Worm

Status: Inactive
Spreading: Slow
Geographical info: N/A
Removal: Easy
Platform: W32
Discovered: 26 Feb 2001
Damage: Low

Characteristics: W32.Mybabypic.Worm is malware that emails its code to all addresses it finds in the Microsoft Outlook address book on the victim machine. Once launched, the worm emails itself with an attachment of a distasteful two-frame animation of a baby.

More details about W32.Mybabypic.Worm

Upon launching, the worm creates five copies of its code on the system. It also modifies the registry, adding its own values and entries and altering a registry entry. At particular times and dates, W32.Mybabypic.Worm connects to a website, using one of its predetermined strings as the form parameter. It then searches for files on the infected machine's hard drive and mapped drives and performs different actions depending on the file type. It corrupts files with the .vbe and .vbs extensions. For CPP, C, HTA, H, JSE, JS, PBL, PAS, WSH and SCT files, the malware changes the extension to .exe, deletes the original file and then creates a copy of its code under the new filename. For files with the JPEG or JPG extension, on the other hand, the worm only appends the .exe extension instead of changing the default file extension.

For files that have the MP3, M3U and MP2 file extensions, the worm takes the filename, appends the .exe file extension to it and uses the new filename for its copy. For example, if the infected file is XXX.MP3, the duplicate worm copy will have the filename XXX.MP3.EXE. The original file is not deleted; instead, its attribute is set to hidden. The worm also toggles the ScrollLock, CapsLock and NumLock keys.

W32.Mybabypic.Worm can spread across the network through security exploits, taking advantage of programming loopholes found in the system. It can also spread via e-mail, sending copies of itself to e-mail addresses stored in the system. The e-mail it sends has a variable subject line and attachment name. The attachment has a PIF file extension that automatically executes when the recipient opens the e-mail.
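The double-extension copies described above (XXX.MP3.EXE beside a hidden XXX.MP3, or a JPG/JPEG name with .exe appended) can be triaged with a directory scan. The following is an added example, not part of the original entry; the function names and the sample files in demo() are constructed for illustration.

```python
import os
import stat
import tempfile

# Extensions taken from the description above.
APPENDED = {".mp3", ".m3u", ".mp2", ".jpg", ".jpeg"}   # worm copy is NAME.EXT.EXE
MEDIA_KEPT_HIDDEN = {".mp3", ".m3u", ".mp2"}           # original kept, set to hidden


def is_hidden(path):
    """True if the Windows hidden attribute is set (always False elsewhere)."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)


def find_double_extension_copies(root):
    """Return a sorted list of (suspect_path, original_present, original_hidden)."""
    findings = []
    for folder, _dirs, files in os.walk(root):
        present = {f.lower(): f for f in files}   # case-insensitive name lookup
        for name in files:
            stem, last = os.path.splitext(name)
            inner = os.path.splitext(stem)[1].lower()
            if last.lower() != ".exe" or inner not in APPENDED:
                continue
            original = present.get(stem.lower())
            hidden = (original is not None and inner in MEDIA_KEPT_HIDDEN
                      and is_hidden(os.path.join(folder, original)))
            findings.append((os.path.join(folder, name), original is not None, hidden))
    return sorted(findings)


def demo():
    """Build a constructed directory of empty sample files and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("song.mp3", "song.mp3.exe", "photo.jpg.exe",
                     "setup.exe", "notes.txt", "list.m3u"):
            open(os.path.join(root, name), "wb").close()
        return [(os.path.basename(p), orig, hid)
                for p, orig, hid in find_double_extension_copies(root)]


if __name__ == "__main__":
    for row in demo():
        print(row)
```

A hit where the original is present and hidden matches the MP3/M3U/MP2 behaviour; the hidden flag is only meaningful when the scan runs on Windows.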